CVE-2005-3208

aeNovo <version> - SQL Injection

Title source: llm

Description

Multiple SQL injection vulnerabilities in (1) aeNovo, (2) aeNovoShop and (3) aeNovoWYSI allow remote attackers to execute arbitrary SQL code via (a) the password parameter in control.asp, and (b) the strSQL parameter in search.asp, which can enable XSS attacks in resulting error messages.

Exploits (2)

exploitdb WORKING POC VERIFIED

by farhad koosha · htmlwebappsasp

https://www.exploit-db.com/exploits/26333

View Code ZIP pw:eip

exploitdb WRITEUP VERIFIED

by farhad koosha · textwebappsasp

https://www.exploit-db.com/exploits/26334

View Code ZIP pw:eip

References (10)

[Vendor Advisory] http://secunia.com/advisories/17117/

[Third Party Advisory, VDB Entry] http://www.osvdb.org/19936

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/15036

[Mailing List] http://marc.info/?l=bugtraq&m=112872593432359&w=2

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/22553

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/22551

[Exploit, Vendor Advisory] http://www.kapda.ir/advisory-78.html

[Exploit] http://www.securityfocus.com/bid/15038

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/22547

[Third Party Advisory, VDB Entry] http://www.osvdb.org/19937

Scores

EPSS 0.0654

EPSS Percentile 91.2%

Details

Status published

Products (3)

aenovo/aenovo

aenovo/aenovoshop

aenovo/aenovowysi

Published Oct 14, 2005

Tracked Since Feb 18, 2026